Although many CISOs see automation as a necessity to deal with limited resources and increasing workloads, there is a lingering reticence to adopt it widely because their security staff sees automation as a four-letter word.
The vilification of automation arises primarily from a fear of false positives. Those fears are fueled by stories of disconnected CEOs, downed DHCP servers, and manufacturing line interruptions that resulted in security leaders “being made available to industry.” Many security staff can point to a negative experience they or a colleague has had, and whether small or large, those experiences are hard to forget. So while the CISO embraces the idea, the practitioners dodge the practice believing they are managing, albeit barely, without it.
So why bother with automation? Because we have to. Fighting sophisticated attacks, whose timeframes have dramatically accelerated, with manual labor is like trying to race a Ferrari on a tricycle -- you’re going to wear yourself out and get lapped a lot. Despite improving preventative controls, many companies will witness more threats than ever before successfully bypassing existing isolated defenses and evading security operations teams. Verizon’s 2015 DBIR indicates that in 60% of hacking cases the hacker is inside the target network in minutes. That hacker will then move rapidly throughout the network, getting beyond patient zero within 24 hours. The volume and sophistication of these external threats will increase the pressure on, and difficulty for, the security operations teams that must detect, contain, and remediate incidents.
The secret to success is connecting data and process flows across operational silos with preapproved workflows so that containment, mitigation, and remediation happen quickly and automatically. Many tasks and workflows that used to be done manually have migrated successfully to an automated process -- think email, texting, social interaction (Facebook, Instagram, etc.), bill paying, and check deposits. Are they perfect? No, but they are incredibly efficient, and the risk of issues is low given the volume of transactions, so people have readily embraced the transition.
This same transition has happened to some extent across IT as well. Certainly email is something none of us could live without. Development and QA teams have increasingly become reliant on automated test rigs to allow them to gain greater leverage from their time. And even security teams have automated intelligence gathering, monitoring, analysis, and alerting, where time is of the essence. Automation speeds up these tasks and makes them happen consistently, with little risk of negative user impact.
How do we practically balance and decide what can be automated and what requires human engagement? We ask humans to do the jobs where humans make a big difference -- problem solving, forensic detective work, cross-solution or environmental analysis, and complex remediation creation. We let the computers do the manual, process-intensive, and tedious tasks that are the most error-prone and enervating. People decide which actions are appropriate to automate. When a specific workflow or decision has been made repeatedly without incident, it becomes a candidate for full automation.
We can also reduce risk with the combination of automation and human approval. Many tasks can be scripted as a workflow but only triggered when a person approves, or presses the “yes” button to confirm that it is indeed a good idea: safe, predictable, and justified. Workflows improve consistency and positive outcomes because these tasks can be scripted, validated, and shared across teams. Workflows can also be set up to trigger only when certain administrator-defined thresholds or conditions are present.
Further, risk can be mitigated by creating groups based on role, asset value, system type, location, and other contextual concepts. By associating policies and workflows with these groups, we can manage the systems and software that are allowed to be affected by workflows. This model reduces the chance of a false positive disrupting a privileged user or service. The same model also facilitates prioritization of automated monitoring of changes to key systems, which can use alerts and alarms to focus administrative attention on the events that matter most to the business.
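The three safeguards just described (administrator-defined thresholds, a human "yes" before a scripted workflow runs, and group-scoped policies that keep privileged users and critical services out of automation's reach) can be combined into a single decision gate. The following is an added example and not code from the article; the policy fields, the asset inventory, the hostnames and the alert records are all constructed for illustration.

```python
# Added example (not from the original article): a minimal decision gate
# for automated containment workflows, built around the article's three
# safeguards: threshold conditions, human approval, and group-scoped policy.
# Hostnames, group names, policy fields and alert records are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    workflow: str                 # scripted action, e.g. "isolate_host"
    min_confidence: float         # admin-defined threshold for triggering
    min_hits: int                 # repeated detections required before acting
    allowed_groups: frozenset     # only assets in these groups may be affected
    protected_groups: frozenset   # never automated; always a human decision
    auto_approve: bool = False    # False: stage the workflow and wait for "yes"

# Constructed inventory: each asset tagged with contextual groups.
INVENTORY = {
    "ws-1042": frozenset({"workstation", "finance"}),
    "ws-0007": frozenset({"workstation", "executive"}),
    "srv-dhcp-01": frozenset({"server", "dhcp", "critical"}),
    "srv-web-03": frozenset({"server", "dmz"}),
}

def decide(policy: Policy, host: str, confidence: float, hits: int) -> str:
    """Return 'ignore', 'escalate', 'approve' or 'auto' for one alert."""
    groups = INVENTORY.get(host, frozenset())  # unknown host -> no groups
    # Threshold gate: below the admin-defined conditions, nothing fires.
    if confidence < policy.min_confidence or hits < policy.min_hits:
        return "ignore"
    # Group gate: protected or out-of-scope assets go to a person, no script.
    if groups & policy.protected_groups or not groups & policy.allowed_groups:
        return "escalate"
    # Approval gate: a validated workflow still waits for a human click
    # until it has run repeatedly without incident and is promoted to auto.
    return "auto" if policy.auto_approve else "approve"

def triage(policy: Policy, alerts: list) -> list:
    """Map each constructed alert (host, confidence, hits) to a decision."""
    return [(host, decide(policy, host, conf, hits)) for host, conf, hits in alerts]

# Constructed policy: isolate workstations only, never executives or DHCP/critical.
ISOLATE = Policy("isolate_host", 0.8, 2, frozenset({"workstation"}),
                 frozenset({"executive", "dhcp", "critical"}))

if __name__ == "__main__":
    sample = [("ws-1042", 0.95, 3), ("ws-1042", 0.5, 3), ("ws-0007", 0.99, 5),
              ("srv-dhcp-01", 0.9, 4), ("srv-web-03", 0.9, 2)]
    print(triage(ISOLATE, sample))
```

Promoting a workflow to full automation is then a one-field change (`auto_approve=True`) on a policy that has already earned it, while the group gate continues to protect the assets a false positive would hurt most.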
Automation isn’t a four-letter word. We just need to apply the compensating safeguards and automated controls selectively so both CISOs and their security teams can comfortably embrace it.